Also, you can use ICMP with custom packet size and you can ping (ping -l for Windows or ping -s for linux) from any OS without installing extra software. Packet size to ping should be packet size - 28 bytes (IP Header + ICMP Header).

Very nice by You at Mikrotik! It opened up a really nice feature! Thanks!!!!

The timeout isn't very clear in the firewall GUI (web and Winbox), by default you can just choose "non dynamic" or "non static". Because of this video I've learned that you can also use any times you like. Thanks.

Love the video! Would love to see what you were talking about towards the end regarding a passphrase on top of this great trick! Love the contrast as always you all are incredible!

Very thanksful Eng Druvis..! 🌹🙏

did that some years ago. works pretty good btw. druvis seems to be quite a fast typer ;)

Nice! Please consider adding Single Packet Authorization (fwknop) instead of the archaic port knocking method.

Nice presentation. Thanks

Please do cover the passphrase thing in a coming video. Thank you :)

Instead of configuring port ranges to secure the knocking you can use this line before to block port scanners add action=drop chain=input comment="dropping port scanners" in-interface-list=WAN src-address-list=\ "port scanners" add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input \ comment="Port scanners to list " in-interface-list=WAN log=yes log-prefix=scanner protocol=tcp \ psd=21,3s,3,1

Please do a new series of videos about vlans. Each episode should start of selecting devices to method, theory about that method, example configuration for Access/Tagged/Hybrid and Trunk - those on one device only, and how use those vlans on /ip/address to reach them, how use that method with bonding and Q&Q. I hope you can stop this series on 6 episodes bcs I know at least 6 way of creating vlans and each should be shorter then 1h. I hope you clear all stuff about VLAN on MikroTik by that videos, I wait for that video series. Remember, Hybrid port are for wifi AccessPoint very very important.

Interesting. But you know what? Your (I suppose bash) `for` loop at 10:00 has in fact single item, which was interpreted as list in single `nmap` command.

In general I fail to see the need for port knocking now that MT has wireguard built-in. Druvis, when is port knocking useful (better option than wireguard)???

Hey Druvis, the "low" part of "allow" is prounced like "loud" without the end "d" sound.

👏👏👏

Why not put this in prerouting of mangle?

Well... that looks like nice thing.

Knock, Knock, Who's there ? cAP ax

While this looks impressive and is technically "cool", it doesn't really add much in terms of security. Some ports need to be publicly available (webserver, etc.). All of them should be inherently secure. Hence it makes more sense to focus on hardening the services rather than adding some magic in front of it. Focussing on ports in terms of security feels like it's 1995 again 😂.

knock knock, who's there? isis

666. Lol, Druvis.

Wrote this .bat script to protect my ports. Works only with windows: @echo off set target_ip=11.22.33.44 set /a PacketSize1=111 set /a PacketSize2=222 set /a PacketSize3=333 set ip=%target_ip% set /a size1=%PacketSize1%-28 set /a size2=%PacketSize2%-28 set /a size3=%PacketSize3%-28 set info=IP is: %ip%, ICMP size: %size1%, %size2%, %size3%; echo %info% CLS ping %ip% -l %size1% -n 2 CLS ping %ip% -l %size2% -n 2 CLS ping %ip% -l %size3% -n 2 CLS @echo off REM 2 sec hold ping -n 2 localhost>nul exit

fool consol use